Bug#454529: two more CVEs
Michael Koch
konqueror at gmx.de
Wed Dec 19 13:34:15 UTC 2007
On Wed, Dec 05, 2007 at 11:45:41PM +0100, Steffen Joeris wrote:
> Hi
>
> There have been two more CVEs[0][1] for jetty:
>
> CVE-2007-5613:
>
> Cross-site scripting (XSS) vulnerability in Dump Servlet in Mortbay Jetty
> before 6.1.6rc1 allows remote attackers to inject arbitrary web script or
> HTML via unspecified parameters and cookies.
>
>
> CVE-2007-5614:
>
> Mortbay Jetty before 6.1.6rc1 does not properly handle "certain quote
> sequences" in HTML cookie parameters, which allows remote attackers to hijack
> browser sessions via unspecified vectors.
I have spoken with upstream about these three issues and they are
working on a solution for Jetty 5.1 for this. For Jetty 6 (which is not
yet in Debian) the issue was easy to fix due to its design. Jetty 5.1
needs some major work.
Cheers,
Michael
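The two advisories quoted above describe issue classes rather than code: a cookie-header parser that loses track of where a value ends when it meets quote sequences, and a diagnostic (dump) page that echoes request data without escaping it. The following is an added illustration and is not Jetty code from either branch, nor a reproduction of the unspecified vectors in the advisories; the sample Cookie header and the function names are constructed for this example. It contrasts a naive split-on-semicolon parser with one that honours RFC 2109 quoted-string values (backslash escapes, embedded semicolons, a missing closing quote), and shows the HTML-escaping step a dump page needs before printing cookie names and values.

```python
import html

# Constructed sample Cookie header (not from any real request): the second
# cookie carries a quoted value containing a ';' and an escaped '"'.
SAMPLE_COOKIE_HEADER = 'JSESSIONID=abc123; pref="a;b\\"c"; theme=dark'


def parse_cookies_naive(header):
    """Split on ';' and '=' with no regard for quoting (the fragile approach).

    A quoted value containing ';' is cut in half and part of it is dropped.
    """
    cookies = {}
    for part in header.split(';'):
        if '=' in part:
            name, value = part.split('=', 1)
            cookies[name.strip()] = value.strip()
    return cookies


def parse_cookies_quoted(header):
    """Parse a Cookie header honouring RFC 2109 quoted-string values.

    Raises ValueError on an unterminated quoted value instead of guessing
    where the value ends.
    """
    cookies = {}
    i, n = 0, len(header)
    while i < n:
        # Skip separators and whitespace between cookie pairs.
        while i < n and header[i] in ' ;':
            i += 1
        if i >= n:
            break
        eq = header.find('=', i)
        semi = header.find(';', i)
        if eq == -1 or (semi != -1 and semi < eq):
            # Bare name without a value: skip to the next separator.
            i = semi if semi != -1 else n
            continue
        name = header[i:eq].strip()
        i = eq + 1
        while i < n and header[i] == ' ':
            i += 1
        if i < n and header[i] == '"':
            # quoted-string: read up to the first unescaped closing quote.
            i += 1
            buf = []
            closed = False
            while i < n:
                c = header[i]
                if c == '\\' and i + 1 < n:
                    buf.append(header[i + 1])   # quoted-pair: keep next char literally
                    i += 2
                    continue
                if c == '"':
                    closed = True
                    i += 1
                    break
                buf.append(c)
                i += 1
            if not closed:
                raise ValueError(f"unterminated quoted value for cookie {name!r}")
            value = ''.join(buf)
        else:
            # Unquoted token: runs to the next ';' or end of header.
            end = n if semi == -1 else semi
            value = header[i:end].strip()
            i = end
        cookies[name] = value
    return cookies


def dump_cookies_html(cookies):
    """Render cookies as an HTML table, escaping every name and value.

    A dump page that omits html.escape() here reflects attacker-controlled
    cookie content straight into the response body.
    """
    rows = ''.join(
        f'<tr><td>{html.escape(k)}</td><td>{html.escape(v)}</td></tr>'
        for k, v in cookies.items()
    )
    return f'<table>{rows}</table>'


if __name__ == '__main__':
    print('naive :', parse_cookies_naive(SAMPLE_COOKIE_HEADER))
    print('quoted:', parse_cookies_quoted(SAMPLE_COOKIE_HEADER))
    print(dump_cookies_html({'evil': '<script>alert(1)</script>'}))
```

The naive parser returns `"a` for `pref` and silently discards the remainder, so a value that looks innocuous after splitting can have been something else before it; the quote-aware parser returns `a;b"c` and refuses input whose quoting never closes. Escaping at output time is independent of how well the header was parsed: both are needed on a page that prints request data.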